Could not establish secure channel for SSL/TLS

Our company is facing a problem with an asp.net client connecting to a
web service. Basically we front-end it by a Cisco Content Smart Switch
load balancer which has a SonicWall attached to it to do hardware SSL.
The caller is in the same subnet/dmz as the webservice, but due to
business reasons we need it front-ended by this hardware.

About 99% of our transactions are successful. The problem is
the last 1%. On these 1% of failures, the error message we get is:

"The underlying connection was closed: Could not establish secure
channel for SSL/TLS."

We've already brought this issue to Cisco, and they seem to have found
some strange connection reset problems. Cisco issued us a patch and
we've deployed them to our production environment, however the problem
still persists. I noticed that there are several people with the same
error string of "The underlying connection etc etc". I don't think
it's a certificate installation problem, as the web service works 99%
of the time.

The servers are currently running .net 1.1 sp1. I also confirmed that
the problem exists using .net 1.1, and .net 1.0sp2. They run Windows
2000 AS.

Are there any possible problems with the framework where, if a
connection is reset by another device in the network, the
framework tries to use the previous connection it "knows" about
rather than re-establish a new ssl connection? Once the problem
occurs, the subsequent request for the webservice is successful, and
then intermittently the problem occurs again.

Also, could there be a timeout where the established connection closes
on the client, and the framework wants to use the stale connection, at
that point giving the error message?


I still suspect a problem with the client side calling the
webservice-- It looks like the ASP.Net client wants to use a stale
connection.

I built a little script which could hammer the webservice and log all
netstats using port 443. Immediately AFTER the SSL/TLS error occurs,
the old connection goes away and I see a newly established SSL
connection to the CSS load balancer.

For some reason, I suspect the framework wants to use a connection
which has been reset or closed from the other end point or device, so
it can't establish the secure channel that it was previously using.

Again, this problem is intermittent - 99% of the time it works with
SSL, but there is the odd instance where we lose a transaction (and
basically lose money).

Can someone from the microsoft team look into this? I highly suspect
this is the scenario:
1) ssl connection established and talking (ie. everything looks good)
2) some network issue causes the connection to reset.
3) connection is reset on the css load balancer
4) connection is NOT reset on the aspnet client
5) aspnet client wants to use the zombied connection
6) Aspnet client errors with "Could not establish secure channel for SSL/TLS" because it was trying to use a dead connection to the load balancer.
7) Next call to the webservice re-establishes a new SSL connection

The trick is to verify whether, on a network connection reset, the
aspnet client actually knows not to use the dead connection. Someone
from Microsoft... please help!!!!


This sounds like a known stale connection issue related to keep-alives in
the client side proxy. Try disabling keep-alives in the generated client
side proxy and let me know if that doesn't help.

Regards

Dan Rogers
Microsoft Corporation
--------------------
>From: (Eddie)
>Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
>Subject: Re: Could not establish secure channel for SSL/TLS
>Date: 19 Oct 2004 23:57:34 -0700
>Organization: http://groups.google.com
>Lines: 36
>Message-ID: <>
>References: <>
>NNTP-Posting-Host: 24.0.210.10
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: 8bit
>X-Trace: posting.google.com 1098255455 32597 127.0.0.1 (20 Oct 2004 06:57:35 GMT)
>X-Complaints-To:
>NNTP-Posting-Date: Wed, 20 Oct 2004 06:57:35 +0000 (UTC)
>Path: cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!news-out.cwix.com!newsfeed.cwix.com!border1.nntp.dca.giganews.com!nntp.giganews.com!newsglorb.com!postnews1.google.com!not-for-mail
>Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.framework.aspnet.webservices:26181
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservices
>
>I still suspect a problem with the client side calling the
>webservice-- It looks like the ASP.Net client wants to use a stale
>connection.
>
>I built a little script which could hammer the webservice and log all
>netstats using port 443. Immediately AFTER the SSL/TLS error occurs,
>the old connection goes away and I see a newly established SSL
>connection to the CSS load balancer.
>
>For some reason, I suspect the framework wants to use a connection
>which has been reset or closed from the other end point or device, so
>it can't establish the secure channel that it was previously using.
>
>Again, this problem is intermittent - 99% of the time it works with
>SSL, but there is the odd instance where we lose a transaction (and
>basically lose money).
>
>Can someone from the microsoft team look into this? I highly suspect
>this is the scenario:
> 1) ssl connection established and talking (ie. everything looks good)
> 2) some network issue causes the connection to reset.
> 3) connection is reset on the css load balancer
> 4) connection is NOT reset on the aspnet client
> 5) aspnet client wants to use the zombied connection
> 6) Aspnet client errors with "Could not establish secure channel for SSL/TLS" because it was trying to use a dead connection to the load balancer.
> 7) Next call to the webservice re-establishes a new SSL connection
>
>The trick is to verify whether, on a network connection reset, the
>aspnet client actually knows not to use the dead connection. Someone
>from Microsoft... please help!!!!
>
>Thanks,
>Eddie
>
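
The keep-alive change Dan suggests, as an added example that is not code from this thread or from Microsoft. A wsdl.exe-generated proxy derives from SoapHttpClientProtocol and calls GetWebRequest for every SOAP call, so overriding that method is where KeepAlive gets switched off; in practice the override goes on (or on a subclass of) the generated proxy class. The class name NoKeepAliveProxy and the service URL are hypothetical placeholders, and the code is written against .NET 1.1 C# (no generics or partial classes).

```csharp
using System;
using System.Net;
using System.Web.Services.Protocols;

// Added example, not from the thread. NoKeepAliveProxy stands in for the
// class that wsdl.exe generated for the web service; the URL is a placeholder.
public class NoKeepAliveProxy : SoapHttpClientProtocol
{
    public NoKeepAliveProxy(string url)
    {
        this.Url = url;
    }

    // SoapHttpClientProtocol calls GetWebRequest once per SOAP call. With
    // KeepAlive off, every call opens a fresh TCP/SSL connection instead of
    // reusing a pooled one that a device in the path (here the CSS load
    // balancer / SonicWall) may already have reset without the client noticing.
    protected override WebRequest GetWebRequest(Uri uri)
    {
        WebRequest request = base.GetWebRequest(uri);
        HttpWebRequest httpRequest = request as HttpWebRequest;
        if (httpRequest != null)
        {
            httpRequest.KeepAlive = false;
        }
        return request;
    }

    // Exposes the configured request so the setting can be checked
    // without making a SOAP call.
    public HttpWebRequest BuildRequest()
    {
        return (HttpWebRequest) GetWebRequest(new Uri(this.Url));
    }
}

public class Program
{
    public static void Main()
    {
        // Placeholder service URL; replace with the real .asmx endpoint.
        NoKeepAliveProxy proxy = new NoKeepAliveProxy("https://webservice.example/Service.asmx");
        HttpWebRequest request = proxy.BuildRequest();
        Console.WriteLine("KeepAlive = " + request.KeepAlive);
    }
}
```

The cost of this setting is a full TCP and SSL handshake per call, which lands on the SonicWall doing the hardware SSL; the benefit is that the client can no longer pick a pooled connection that the load balancer has already torn down, which is the scenario Eddie's netstat logging points at.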
